5. Keylogging malware

Where systems have been infected with keylogging malware such as Zeus (also known as Zbot or wsnpoem), additional safeguards are necessary in order to reduce the potential for attackers to abuse any credentials that they may have gathered. We have seen many examples of University accounts being abused, sometimes over a period of many months, and must take reasonable measures to prevent this occurring.

As of January 2010, OxCERT now expect ITSS to take the following measures in dealing with instances of keylogging malware:
  • All Oxford University passwords that have been entered on a system that has suffered a keylogger attack must be changed.
  • OxCERT will request the usernames of people who have or are likely to have used the attacked machine within 30 days so that those details can be used to trace other incidents.
  • Remote Access accounts will have their password randomized so that once an account is unblocked the user can set a new password using online self-registration.
  • As with any such attack it is extremely likely that other passwords, including those for other services within the University, online banking etc., will have been disclosed. Please make sure affected users are aware of and understand the guidance at http://www.oucs.ox.ac.uk/network/security/keyloggers.xml

In cases of infections on managed systems, logs should be available to determine recent users of a system. For personally-owned systems, the only way to determine who else may have used the machine will likely be to ask its owner. In general it will not be possible to determine how long ago a system was compromised. A compromise may have occurred a considerable time before OxCERT detected it; this is particularly likely with systems which are used on multiple networks. Alternatively OxCERT may have detected only one of several malware items on the system. In the absence of other information, we consider thirty days a reasonable period, for which logs (or the user's memory!) may reasonably be expected to be available.
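As an added illustration of the log-based check described above (example code, not from OxCERT or the original page), the script below takes a constructed logon log and a detection time and lists the accounts whose passwords must be reset. The log format, and the extension of the window from detection up to the time the machine was cleaned, are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of a managed system's logon log (hypothetical format:
# "ISO-timestamp user event"); not taken from the original page.
SAMPLE_LOG = """\
2009-11-15T09:12:00 frank logon
2009-12-20T14:03:00 bob logon
2010-01-04T08:45:00 carol logon
2010-01-15T17:30:00 alice logon
2010-01-18T10:00:00 dave logon
2010-01-18T10:05:00 dave logoff
2010-01-21T11:00:00 erin logon
2010-01-25T09:00:00 grace logon
"""

WINDOW_DAYS = 30  # the look-back period the guidance considers reasonable


def parse_logons(log_text):
    """Yield (timestamp, user) for each logon line; other events are ignored."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "logon":
            continue
        yield datetime.fromisoformat(parts[0]), parts[1]


def users_to_report(log_text, detected_at, cleaned_at=None, window_days=WINDOW_DAYS):
    """Return the sorted usernames whose logons fall inside the exposure window.

    The window runs from `window_days` before detection up to the time the
    machine was cleaned: anyone who logged on between detection and cleanup
    typed a password into a still-infected system, so they are included too.
    If no cleanup time is given, the window ends at detection.
    """
    if cleaned_at is None:
        cleaned_at = detected_at
    start = detected_at - timedelta(days=window_days)
    exposed = {user for ts, user in parse_logons(log_text) if start <= ts <= cleaned_at}
    return sorted(exposed)


if __name__ == "__main__":
    detected = datetime(2010, 1, 18, 12, 0)
    cleaned = datetime(2010, 1, 22, 0, 0)
    print(users_to_report(SAMPLE_LOG, detected, cleaned))
```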

Ultimately users have to be responsible for the security of their own passwords and other private data. Nevertheless it is important to ensure that they understand the reasons for taking action and the possible implications of not doing so, and we encourage ITSS to assist with this.

While we shouldn't ignore users' security on external systems such as online banking or Google Mail, our chief concern is with that of the University network and hence it is important to ensure that passwords for any system on the University network are changed. Users may have passwords for their own computer, central OUCS systems, systems both in college and within their department, and potentially other parts of the University such as Libraries or BSP.
